VIRTUAL MACHINE IMAGE UPDATE MANAGEMENT PLATFORM

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 63/720,900 filed on Nov. 15, 2024, the contents of which are hereby incorporated by reference.

TECHNICAL FIELD

The present disclosure relates generally to virtual machine image management, and more specifically to managing virtual machine images deployed in a computing environment as code updates are released.

BACKGROUND

Virtual machine (VM) images are files containing code and other resources used to realize virtual machines. Executing the code within a VM image causes a VM to be deployed within a computing environment.

Updates in code included in VM images may result in changes to how the corresponding VM behaves. Code may be updated, for example, to improve software performance or to patch out vulnerabilities. For example, when a vulnerability in code may expose the VM to cybersecurity threats, the code of the VM image used to realize that VM may be updated in order to patch out the vulnerability. As a result, maintaining VM images can serve to maintain performance and/or security within a computing environment.

Solutions which aid in maintaining VM images would therefore be desirable.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for virtual machine image management. The method comprises: generating a plurality of software packages, wherein each software package is generated using a respective set of code; building a plurality of VM images based on a plurality of files, wherein building each VM image further comprises combining a subset of the plurality of software packages according to a corresponding file of the plurality of files, wherein each file includes a set of instructions for combining the subset of the plurality of software packages in order to build the corresponding VM image; and pushing the plurality of VM images in a repository.

Certain embodiments disclosed herein also include a non-transitory computer-readable medium having stored thereon causing a processing circuitry to execute a process, the process comprising: generating a plurality of software packages, wherein each software package is generated using a respective set of code; building a plurality of VM images based on a plurality of files, wherein building each VM image further comprises combining a subset of the plurality of software packages according to a corresponding file of the plurality of files, wherein each file includes a set of instructions for combining the subset of the plurality of software packages in order to build the corresponding VM image; and pushing the plurality of VM images in a repository.

Certain embodiments disclosed herein also include a system for virtual machine image management. The system comprises: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: generate a plurality of software packages, wherein each software package is generated using a respective set of code; build a plurality of VM images based on a plurality of files, wherein building each VM image further comprises combining a subset of the plurality of software packages according to a corresponding file of the plurality of files, wherein each file includes a set of instructions for combining the subset of the plurality of software packages in order to build the corresponding VM image; and push the plurality of VM images in a repository.

Certain embodiments disclosed herein include a method, non-transitory computer-readable medium, or system as noted above or below, further including or being configured to perform the following step or steps: configuring each of the plurality of VM images based on the plurality of files, wherein the set of instructions for each file further defines a configuration for the corresponding VM image.

Certain embodiments disclosed herein include a method, non-transitory computer-readable medium, or system as noted above or below, further including or being configured to perform the following step or steps: monitoring for changes to a plurality of portions of code among the plurality of software packages; identifying an update based on the monitoring, wherein the update includes a change in at least one portion of code of the plurality of portions of code among the plurality of software packages; and rebuilding at least one VM image of the plurality of VM images using a new version of the at least one portion of code.

Certain embodiments disclosed herein include a method, non-transitory computer-readable medium, or system as noted above or below, wherein the plurality of portions of code among the plurality of software packages is a plurality of first portions of code, further including or being configured to perform the following step or steps: establishing a pipeline with respect to the plurality of software packages, wherein the pipeline is defined such that a software package of the plurality of software packages containing a dependency to a second portion of code is downstream of the second portion of code; and detecting an upstream change for at least one package of the plurality of packages, wherein the update is identified based on the detected upstream change.

Certain embodiments disclosed herein include a method, non-transitory computer-readable medium, or system as noted above or below, further including or being configured to perform the following step or steps: classifying the identified update into a classification; and selecting the at least one VM image to be rebuilt based on the classification.

Certain embodiments disclosed herein include a method, non-transitory computer-readable medium, or system as noted above or below, wherein the classification indicates that the change in the at least one portion of code is a change to patch a vulnerability.

Certain embodiments disclosed herein include a method, non-transitory computer-readable medium, or system as noted above or below, wherein the plurality of VM images corresponds to a plurality of virtual machines, further including or being configured to perform the following step or steps: ingesting cybersecurity data from a computing environment in which the plurality of virtual machines is deployed; identifying a vulnerability being exploited based on the ingested cybersecurity data; and rebuilding at least one VM image of the plurality of VM images, wherein the rebuilt at least one VM image include a vulnerable software package of the plurality of software packages, wherein the vulnerable software package has the identified vulnerability.

Certain embodiments disclosed herein include a method, non-transitory computer-readable medium, or system as noted above or below, further including or being configured to perform the following step or steps: redeploying the rebuilt at least one VM image.

Certain embodiments disclosed herein include a method, non-transitory computer-readable medium, or system as noted above or below, wherein each software package is a unit of code defined with respect to at least one function.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

FIG. 1 is a network diagram utilized to describe various disclosed embodiments.

FIG. 2 is a flow diagram illustrating building and maintaining an image repository in accordance with various disclosed embodiments.

FIG. 3 is a flow diagram illustrating pushing images for deployment in accordance with various disclosed embodiments.

FIG. 4 is a flowchart illustrating a method for virtual machine image update management according to an embodiment.

FIG. 5 is a flowchart illustrating a method for creating a virtual machine image repository according to an embodiment.

FIG. 6 is a flowchart illustrating a method for updating a virtual machine image repository according to an embodiment.

FIG. 7 is a flowchart illustrating a method for detecting a virtual machine image redeployment trigger according to an embodiment.

FIG. 8 is a schematic diagram of an image manager according to an embodiment.

DETAILED DESCRIPTION

The various disclosed embodiments include a virtual machine image update management platform and techniques for virtual machine image update management. The disclosed embodiments may be utilized to manage deployments of virtual machine images. Each virtual machine image is a file including executable code utilized to realize a given virtual machine. More specifically, each virtual machine image includes all of the code utilized to run a given virtual machine. To this end, a given virtual machine image includes libraries, binaries, settings, kernel, operating system, applications, and other data used to realize a corresponding virtual machine. Various disclosed embodiments may allow for efficiently rebuilding and redeploying virtual machine images for use in computing environments.

To facilitate building virtual machine images, various disclosed embodiments utilize virtual machine image recipes in order to combine packages of code and configure virtual machine images according to a predefined set of heuristics. To this end, each virtual machine image recipe may be realized as a file including a set of instructions for building and configuring a virtual machine according to a predetermined definition of the virtual machine. The set of instructions of each virtual machine image recipe may therefore be utilized to effectuate a set of rules for building and configuring the virtual machine.

More specifically, the set of instructions of each virtual machine image recipe defines a corresponding virtual machine image with respect to a combination of packages of code such that the virtual machine image built using a given virtual machine image recipe includes each package among the combination of packages of the virtual machine image recipe. To this end, the set of instructions of each virtual machine image includes a description of each package to be used for building the virtual machine image and a description of how to obtain a latest version or release of the code of each package. The description of each package may be or may include an identifier (e.g., a name or identification number) of each portion of code used to create the package. The description of how to obtain the latest version or release of the code of each package may be or may include an indication of a location where each portion of code for each package is stored (e.g., in one or more code repositories). The set of instructions of each virtual machine further includes definitions of kernels, operating systems, applications, and other code utilized to run the virtual machine, and may define how to obtain such code utilized to run the virtual machine by indicating locations of such code.

Accordingly, the virtual machine image recipes provide instructions for building virtual machine images defined with respect to code units in the form of packages, where combinations of packages may be used to realize different virtual machine images. In this regard, the packages may act as building blocks for virtual machine images, with the virtual machine image recipes providing the directions for combining these building blocks in order to assemble the code of a virtual machine image. That is, the packages may be adapted to perform discrete functions or sets of functions which might be utilized by different virtual machine images such that a given package may be used to provide its respective functions to different virtual machine images whose virtual machine image recipes indicate that the package is to be used for building their corresponding virtual machine images.

In an embodiment, using virtual machine image recipes, virtual machine images are built. More specifically, the definitions among the virtual machine image recipes are used to identify portions of code belonging to packages for each virtual machine image. The portions of code may include, but are not limited to, binaries and any associated files. The portions of code are obtained and used to create the packages. Using the virtual machine image recipes, sets of the packages are combined into virtual machine images and configured. Once a given virtual machine image has been built, it may be pushed to a virtual machine image repository accessible to one or more systems (e.g., servers) which are configured to run virtual machines using the virtual machine images.

In various embodiments, the repository storing the virtual machine images may be managed by updating images in the repository. More specifically, when a given portion of code (e.g., a given binary) used by a package is subject to a code release, the new version of that portion of code may be obtained and used to recreate the package. Once the package has been recreated, the virtual machine image may be rebuilt using the recreated package according to the virtual machine image recipe of the virtual machine image. The rebuilt virtual machine image may be pushed to a virtual machine image repository accessible to systems which utilize the virtual machines, thereby updating the virtual machines in computing environments where those systems utilized the virtual machines.

In order to aid in managing the repository, in an embodiment, a pipeline is established with respect to code dependencies. The pipeline defines dependencies between portions of code among different packages, and therefore defines relationships between such portions of code which may be used to determine when a package should be updated. That is, when a portion of code is the subject of a new code release or otherwise when a new version of that code is made available, any package containing that code or containing code which depends from that code may be identified for recreation. To this end, code releases may be monitored in order to identify upstream releases or other project updates for code among the packages indicated among the virtual machine image recipes. When a project update is detected, any packages containing code which has been updated in the project update may be recreated, and any virtual machine images built using packages which have been recreated may be rebuilt.

In some embodiments, in order to reduce the amount of computing resources utilized to rebuild and transmit virtual machine images, virtual machine images may be redeployed according to image redeployment rules. Such image redeployment rules may define triggers for redeploying virtual machine images such that, for example, a virtual machine image is only rebuilt, transmitted, redeployed, or a combination thereof, when a redeployment trigger is detected with respect to the virtual machine image. Further, any or all of the redeployment triggers may be defined with respect to cybersecurity data such as, but not limited to, alerts or other cybersecurity data indicating that a vulnerability is being exploited. More specifically, using such cybersecurity data, a vulnerable package may be identified. Such a vulnerable package is a package containing code which includes the vulnerability that is being exploited. Virtual machine images containing vulnerable packages are identified using the virtual machine image recipes, and any virtual machine images containing vulnerable packages may be rebuilt using packages containing new code (e.g., new code releases designed to patch or otherwise address the vulnerability).

The disclosed embodiments therefore provide a platform for maintaining virtual machine images in a manner that allows for automatically rebuilding virtual machine images with new code as new code releases are provided. By defining virtual machine image recipes with respect to combinations of code packages, each virtual machine image may effectively be defined with respect to a set of discrete units of code. This allows for identifying updates to code used by different virtual machine images, thereby allowing for automatically identifying code updates which affect certain virtual machine images and therefore indicate that a given virtual machine image might be rebuilt. Identifying images to be rebuilt in this manner, in turn, allows for maintaining images with current versions of code, which improves security of computing environments in which the software containers are deployed.

In addition to improved maintenance of virtual machine images and the security of computing environments in which those images are deployed, utilizing redeployment triggers in accordance with certain embodiments allows for more efficiently deploying virtual machine images. More specifically, as noted above, virtual machine images may only be rebuilt and redeployed when redeployment triggers are detected. Accordingly, computing resources associated with rebuilding virtual machine images and transmitting rebuilt virtual machine images may be conserved. Additionally, when redeployment triggers are defined with respect to exploitation of vulnerabilities, such computing resources may be conserved while maintaining cybersecurity within computing environments in which the virtual machine images are deployed. That is, virtual machine images which are potential security risks may either be rebuilt when vulnerabilities in those virtual machine images are being exploited, or rebuilt as updates occur and redeployed when vulnerabilities in those virtual machine images are being exploited.

In this regard, VM image repositories populated using VM images as described herein may act as trusted sources for vulnerability-free or otherwise updated VM images. Moreover, by storing and providing software as fully built VM images, challenges with respect to installing individual packages within other software and potential compatibility issues may be avoided, thereby providing a smoother code deployment.

FIG. 1 shows an example network diagram 100 utilized to describe the various disclosed embodiments. In the example network diagram 100, computing environments 110 through 130 communicate with each other and with a user device 140 in order to realize various virtual machine image management techniques discussed herein. Any or all of such communications may be realized via one or more networks (not shown). Such a network may be, but is not limited to, a wireless, cellular or wired network, a local area network (LAN), a wide area network (WAN), a metro area network (MAN), the Internet, the worldwide web (WWW), similar networks, and any combination thereof.

As depicted in FIG. 1, the computing environment 110 is a computing environment in which a virtual machine (VM) image manager 111 is deployed or otherwise realized. The VM image manager 111 may be realized as or via a server (not separately depicted). An example schematic diagram which may be utilized to realize such a server is discussed further below with respect to FIG. 8.

The VM image manager 111 is configured to manage virtual machine images used in one or more computing environments such as, but not limited to, the computing environment 120. More specifically, the VM image manager 111 is configured to build virtual machine images using virtual machine image recipes as described herein. As noted herein, such virtual machine image recipes may be, may include, or may otherwise be realized as a file including a set of instructions for building and configuring a virtual machine according to a predetermined definition of the virtual machine. Such a recipe may be defined with respect to a set of packages as well as configuration data for configuring a virtual machine containing these packages and other code (e.g., kernel, operating system software, etc.) used to realize the virtual machine. The packages, in turn, are packages of code which may include code stored in one or more code repositories such as, but not limited to, the code repositories 131.

The virtual machine images created using the recipes may be stored in a VM image repository 112 for subsequent use. The recipes, along with other data used to build the virtual machine images (e.g., code retrieved from the code repositories 131, packages created using such code, and the like), may be stored in a database 113.

The computing environments 120-1 and 120-2 may be client computing environments owned or otherwise operated by an entity using one or more servers 122 acting as clients for the VM image manager 111, the VM image repository 112, or both. In the example implementation shown in FIG. 1, the computing environment 120-1 includes a VM image repository 121 which may be utilized to store virtual machine images built by the VM image manager 111 and used by the servers 122 to deploy virtual machines in the computing environment 120-2. To this end, the computing environment 120-2 includes one or more servers 122 running code used to realize virtual machines.

The computing environment 120-1 may further include one or more cybersecurity tools 123. Such cybersecurity tools 123 may be configured to monitor for potential cyber threats, to alert on potential cyber threats, to mitigate or remediate potential cyber threats, a combination thereof, and the like. In particular, in accordance with various disclosed embodiments, the cybersecurity tools 123 may be configured to alert on potential cyber threats and to include data indicating potentially vulnerable virtual machine images or portions thereof (e.g., packages), which in turn may be utilized to determine which virtual machine images may require rebuilding or redeployment (e.g., redeployment of the corresponding virtual machine) as described herein. To this end, such alerts may be sent from the cybersecurity tools 123 to the servers 122, to the VM image manager 111, or both.

The computing environments 130-1 through 130-n (where n is an integer having a value greater than or equal to 1, also referred to as a computing environment 130 or as computing environments 130 for simplicity) may each include one or more code repositories 131. Such code repositories 131 may store code and, in particular, code released by developers or other entities that provide code intended to be packaged with other code to create code packages. Such code may be updated, for example, in new code releases, in order to patch vulnerabilities or otherwise improve the code. Code stored in the code repositories 131 may be downloaded (e.g., by the image manager 111) and utilized to build virtual machine images as discussed herein.

The user device 140 may be, but is not limited to, a personal computer, a laptop, a tablet computer, a smartphone, a wearable computing device, or any other device capable of receiving and displaying notifications. The user device 140 may be owned, operated, or otherwise used by a person or entity which may manage code deployed in the computing environment 120. As a non-limiting example, the user device 140 may be operated by a developer who manages code at least some of the virtual machines deployed in the computing environment 120. The user device 140 may receive notifications (e.g., from the image manager 111) indicating that certain virtual machine images have been built or rebuilt and stored in the VM image repository 112. The user device 140 may be used to cause the servers 122 to download such virtual machine images for virtual machine deployment (e.g., to download such virtual machine images and either store those in local storages of the servers 122, in the image repository 121, or both).

It should be noted that FIG. 1 depicts an implementation of various disclosed embodiments, but that at least some disclosed embodiments are not necessarily limited as such. Other deployments, arrangements, combinations, and the like, may be equally utilized without departing from the scope of the disclosure. For example, the image manager 111 may be deployed or otherwise realized in the computing environment 120-2 used to host the servers 122 on which virtual machines are deployed without departing from the scope of at least some disclosed embodiments. Generally speaking, in at least some embodiments, any of the computing environments 110 through 130 may be combined at least partially (e.g., combining entities from different computing environments), or may be further separated into more computing environments (not shown), without departing from the scope of the disclosure.

FIG. 2 is a flow diagram 200 illustrating building and maintaining a virtual machine (VM) image repository in accordance with various disclosed embodiments. FIG. 2 depicts communications between and among the VM image repository 112, the VM image manager 111, and the code repositories 131, FIG. 1.

As depicted in FIG. 2, at 210, the VM image manager 111 identifies one or more VM image recipes to be utilized for building VM images in order to populate the VM image repository 112. Such recipes may be predetermined or otherwise provided by an entity that designs VM images for use in deploying virtual machines. As discussed herein, each recipe is a file including code defining packages to be combined in order to build a corresponding VM image.

At 220, the VM image manager 111 obtains code from one or more of the code repositories 131. As discussed herein, such code includes code used to create packages or otherwise to build VM images. The obtained code may be obtained as packages, or may be obtained as other discrete portions of code to be used for creating packages. The obtained code may further include additional code used to run a virtual machine (e.g., code of kernels and operating systems).

At 230, the VM image manager 111 builds one or more VM images and stores the built VM images in the VM image repository 112. More specifically, as described herein, the VM image manager 111 builds the VM images using VM image recipes (e.g., the recipes identified at 210). That is, the VM image manager 111 builds the VM images by combining packages and configuring the VM images according to their corresponding recipes. Moreover, the VM images may be built in order to include other code used to run the virtual machine such as, but not limited to, code of kernels, operating systems, applications, or other functions used to run the virtual machine.

Once the VM image repository 112 has been populated with images built using the recipes, the VM image repository 112 may be updated as code used by those images are updated. To this end, in some embodiments, at 240, the VM image manager 111 monitors for updates to code in the code repositories 131 in order to identify updates to code (e.g., code releases) for code used by VM images.

More specifically, as described herein, the VM image manager 111 may be configured to monitor for updates with respect to upstream code (e.g., as determined based on code dependencies of code in VM images). When an upstream update occurs in one of the code repositories at 250, the VM image manager 111 may download the updated code at 260. The updated code, in turn, may be utilized to rebuild and store one or more of the VM images at 270 (e.g., VM images including older versions of the updated code may be rebuilt with the updated code).

It should be noted that FIG. 2 depicts a flow including both building and rebuilding VM images, but these processes may be realized as separate flows without departing from the scope of the disclosure. Additionally, in some embodiments, updated code may only be downloaded, images may only be rebuilt, or both, when certain conditions are met. As a non-limiting example, code may only be automatically downloaded and used to rebuild VM images when the code contains a vulnerability patch or other cybersecurity-relevant updates. In such embodiments, code may be manually downloaded and used to rebuild images at the direction of an operator (e.g., a user of the user device 140, FIG. 1) when inputs indicating certain portions of code to download, certain VM images to check for potential code updates, or both, are received.

FIG. 3 is a flow diagram 300 illustrating providing a new image for deployment in accordance with various disclosed embodiments. FIG. 3 depicts communications between and among the VM image repository 112, the VM image manager 111, the VM image repository 121, and the server 122, FIG. 1.

As depicted in FIG. 3, optionally at 310, a redeployment trigger is detected with respect to a virtual machine. Such a redeployment trigger may be, for example but not limited to, a detection of a vulnerability in a virtual machine or otherwise in a virtual machine image of a virtual machine.

At 320, a new VM image of the virtual machine is retrieved by the VM image manager 111 from the VM image repository 112. The new VM image may be an updated VM image, which may be a rebuilt VM image as discussed herein or otherwise a version of the VM image containing new or updated code.

At 330, the new VM image is pushed by the VM image manager 111 to the VM image repository 121. That is, the new VM image may be pushed to a repository owned, operated, or otherwise used by an entity who owns or operates the servers 122, FIG. 1. Such a repository 121 is accessible to the server 122 such that the server 122 may download or otherwise retrieve VM images stored in the VM image repository 121. To this end, at 340, the new VM image is stored in the VM image repository 121.

When the new VM image has been stored in the VM image repository 121, the server 122 may request the new VM image from the VM image repository 121 at 340. As a non-limiting example, the server 122 may request the new VM image in response to receiving an alert (not shown) from the VM image manager 111. At 350, the VM image repository returns the new VM image to the server 122.

FIG. 4 is a flowchart 400 illustrating a method for virtual machine (VM) image update management according to an embodiment. In an embodiment, the method is performed by the VM image manager 111, FIG. 1.

At S410, a VM image repository is created. In an embodiment, creating the VM image repository includes building one or more VM images according to respective VM image recipes and storing the built images in the VM image repository.

As discussed herein, such a VM image recipe may be or may include a file having executable code utilized to realize a virtual machine. To this end, each VM image recipe may be realized as a file including a set of instructions for building and configuring a virtual machine according to a predetermined definition of the virtual machine. The set of instructions of each VM image recipe may therefore be utilized to effectuate a set of rules for building and configuring the virtual machine

More specifically, the set of instructions of each VM image recipe defines a corresponding VM image with respect to a combination of packages such that the VM image built using a given VM image recipe includes each package among the combination of packages of the VM image recipe. To this end, the set of instructions of each VM image includes a description of each package to be used for building the VM image and a description of how to obtain a latest version or release of the code of each package. The description of each package may be or may include an identifier (e.g., a name or identification number) of each portion of code used to create the package, a location (e.g., a location within a repository or otherwise a location in storage) of the package or of the code used to create the package, both, and the like. The description of how to obtain the latest version or release of the code of each package may be or may include an indication of a location where each portion of code for each package is stored (e.g., in one or more code repositories).

Each VM image built using a corresponding VM image recipe includes all of the code utilized to run a given virtual machine, and may further include libraries, binaries, settings, kernels, operating systems, applications, and other data used to realize the corresponding virtual machine. The corresponding VM image recipe for a given VM image may therefore identify such code and other data (e.g., by location in storage, by identifier, by a combination thereof, and the like) such that a VM image may be built at least by combining packages identified in the corresponding VM image recipe.

An example process for creating a VM image repository is described further below with respect to FIG. 5.

At optional S420, the VM image repository may be updated. As a non-limiting example, as new code releases are made available such that code used by VM images becomes updated, some or all of those VM images may be updated accordingly by downloading new code, packaging the new code into new packages, and combining the new packages according to the corresponding VM image recipes for VM images. To this end, in an embodiment, updating the VM image repository includes rebuilding one or more of the VM images stored in the VM image repository. An example process for updating the VM image repository is described further below with respect to FIG. 6.

At optional S430, a VM image redeployment trigger may be detected. The redeployment trigger may be defined such that VM images are only redeployed when certain criteria are met. To this end, in an embodiment, detecting the VM image redeployment trigger includes applying one or more redeployment trigger detection rules defined with respect to such criteria. In some embodiments, the redeployment trigger detection rules may be defined such that the trigger is detected when a vulnerability in a VM image is being exploited.

In some embodiments, the redeployment trigger may be defined with respect to cybersecurity threats such that a VM image is redeployed when a cyber threat or potential cyber threat is detected, when a vulnerability is identified, and the like. In a further embodiment, a redeployment trigger is detected when a vulnerability in one or more virtual machines deployed using one or more of the VM images is actively being exploited. An example process for detecting a VM image redeployment trigger based on cybersecurity data which may be utilized at S430 is described further below with respect to FIG. 7.

At S440, the VM image is pushed to a repository (e.g., the image repository 112 or the image repository 121, FIG. 1) for storage. The VM image may be retrieved by one or more servers (e.g., the servers 122, FIG. 1) from the repository, either directly or by sending a request to a system having access to the repository (e.g., the VM image manager 111, FIG. 1).

FIG. 5 is a flowchart S410 illustrating a method for creating a virtual machine image repository according to an embodiment.

At S510, VM image recipes to be used for creating VM images are identified. The identified VM image recipes may be or may include VM image recipes among a predetermined list of recipes to be used for populating, for example, a given VM image repository. Such a predetermined list may be defined, for example, by an entity which owns or operates a computing environment (e.g., the computing environment 120, FIG. 1) in which the VM image repository resides, a computing environment in which servers utilize VM images stored in the VM image repository to deploy virtual machines, both, and the like.

As noted above, each VM image recipe may be or may include a file having executable code utilized to realize a given virtual machine. To this end, in an embodiment, each VM image recipe is realized as a file including a set of instructions for building and configuring a virtual machine according to a predetermined definition of the virtual machine. The set of instructions of each VM image recipe may therefore be utilized to effectuate a set of rules for building and configuring the virtual machine.

In a further embodiment, the set of instructions of each VM image recipe defines a corresponding VM image with respect to a combination of packages such that the VM image built using a given VM image recipe includes each package among the combination of packages of the VM image recipe. To this end, the set of instructions of each VM image includes a description of each package to be used for building the VM image and a description of how to obtain a latest version or release of the code of each package as discussed above, for example with respect to FIG. 4. In yet a further embodiment, the set of instructions for each VM image recipe further defines a configuration for the corresponding VM image, and the VM image built using a corresponding VM image recipe is configured in order to match the configuration defined in the corresponding VM image recipe.

At S520, code of software packages (also referred to as packages) represented in the identified VM image recipes is obtained. Such code may be, for example but not limited to, retrieved from one or more code repositories (e.g., one or more of the code repositories 131, FIG. 1). The code may include, but is not limited to, binaries or other code to be included in respective packages. In an embodiment, S520 may further include obtaining any associated files (e.g., files associated with respective binaries containing libraries or other resources to be used by those binaries), code used to realize virtual machines (e.g., code of kernels, operating systems, applications, etc.), both, and the like.

In an embodiment, the code may be included in package definitions of packages which define portions of code to be utilized for creating each package. Such package definitions may identify code with respect to identifier, location (e.g., location in storage), and the like. In such an embodiment, the code may therefore be obtained based on such package definitions, for example by obtaining code having certain identifiers or locations in storage.

At S530, software packages (also referred to as packages) are generated using the obtained code. In an embodiment, the packages may be generated using package generation rules which define how each package is to incorporate each portion of code included therein. More specifically, the package generation rules may define templates or other predetermined portions of packages into which portions of code are to be inserted or otherwise which are to be combined with portions of code.

In some embodiments, any or all of the obtained code may be retrieved in a pre-packaged format (e.g., already organized into software packages). In such embodiments, any such pre-packaged software packages may be utilized to build VM images during subsequent processing.

At S540, VM images are built using their corresponding VM image recipes and the packages generated at S530, any pre-packed software packages, or both. That is, each VM image is built using its corresponding VM image recipe by at least combining packages according to the VM image recipe. More specifically, for each recipe, a subset of the packages generated at S530 or otherwise a subset of a set of packages is combined in order to build the corresponding VM image for the recipe.

At S550, the VM images are configured according to their corresponding VM image recipes. As noted above, each VM image recipe may include configuration instructions or otherwise provide configuration data indicating how the VM image is to be configured.

At S560, the built VM images are stored in one or more VM image repositories (e.g., the VM image repository 112, FIG. 1) for subsequent use or access.

FIG. 6 is a flowchart S420 illustrating a method for updating a virtual machine image repository according to an embodiment.

At S610, a pipeline is established at least with respect to software packages used for building VM images (e.g., software packages indicated in VM image recipes as described herein). The pipeline may be defined with respect to one or more software projects (e.g., a software infrastructure project), and may further be defined from upstream to downstream. That is, the pipeline indicates or otherwise represents dependencies between portions of code deployed as part of the software project from upstream to downstream, where packages or portions of code containing dependencies to other code are considered to be downstream of the other code (which is considered to be upstream of the code which depends from it).

Accordingly, in an embodiment, the pipeline is established with respect to code dependencies. In a further embodiment, the pipeline defines dependencies between portions of code among different packages. That is, the pipeline defines relationships between such portions of code which may be useful for determining when a package is to be updated. When a portion of code is the subject of a new code release or otherwise when a new version of that code is made available, any package containing that code or containing code which depends from that code may be identified for recreation.

At S620, project updates are monitored with respect to the pipeline. In an embodiment, monitoring for project updates includes monitoring code releases, version updates, or other changes in code related to the software project. When a code release or other change to a portion of code used or otherwise upstream from a package indicated in a VM image recipe is detected during the monitoring, that code release or other change may be identified as a project update as discussed with respect to S630. A code release may be determined as upstream from a package when the code release is for a portion of code from which the package depends (either directly via a reference to the portion of code among code of the package, or indirectly via a reference to code which in turn references other code that ultimately references the portion of code).

In an embodiment, the project updates may be detected based on certain activities such as, but not limited to, commits. To this end, the monitoring may be performed using update monitoring rules defined with respect to such activities such that project updates are detected when such activities occur (e.g., when a commit is made).

At S630, project updates are identified based on the monitoring. The project updates may be represented in data (e.g., textual data) indicating changes or other data indicative of updates to code used among entities represented in the pipeline. Such textual data may include, but is not limited to, log data, which may include textual data describing the nature of the changes, the reasons for the changes (e.g., to patch out a vulnerability or otherwise improve the code), both, and the like. As noted above, such project updates may be code releases, version updates, or other changes in code.

At optional S640, the identified project updates may be classified into one or more classifications. In an embodiment, classifying the updates includes applying one or more update classification rules defined with respect to, for example, keywords or key terms. As a non-limiting example, updates may be classified as either relating to cybersecurity or not relating to cybersecurity using update classification rules that define a given update as being related to cybersecurity when any of the following terms are included in a description of an update: “patch,” “vulnerability,” “cybersecurity,” “security,” and “CVE” (common vulnerabilities and exposures).

In another embodiment, classifying the project updates includes applying one or more machine learning models trained to classify textual data. Such machine learning models may be applied to text indicating changes or other data indicative of project updates identified during the monitoring.

In an embodiment, at least some of the classifications of the project updates are defined with respect to potential cybersecurity risks. That is, the classifications may indicate, for example, whether each update indicates a change meant to mitigate a cyber threat or remediate a vulnerability.

In some embodiments, the applied machine learning models may be or may include a language model such as a large language model (LLM). Such LLMs may be useful for querying with respect to text written in natural language in addition to or instead of code in order to unearth information about the contents of the text, code, or both. To this end, in such embodiments, classifying the project updates may include querying such a language model using a predetermined textual query. As a non-limiting example, such a textual query may be or may include “Please analyze the description of the updates and output a classification of either ‘patching a vulnerability’ or ‘not patching a vulnerability.’ The ‘patching a vulnerability’ output should be output when the description of the update indicates that the update was made to patch or fix a vulnerability in code, or if the code contains changes associated with patching vulnerabilities. The ‘not patching a vulnerability’ output should be output when the description of the update does not indicate that the update was made to patch or fix a vulnerability in code and the code does not contain any changes associated with patching vulnerabilities.”

In yet a further embodiment, such language models may be fine-tuned for classifying upstream changes. Such a fine-tuned model may be created by adjusting weights of a general purpose language model based on further training using training samples which include example text describing project updates, such as samples demonstrating both vulnerability patch updates and other updates (e.g., general performance updates or other changes which may not be related or may not be directly related to cybersecurity). Such a fine-tuned language model may be further trained based on code of such example updates.

At optional S650, VM images are selected for rebuilding. In an embodiment, the VM images to be rebuilt are selected based on the classifications. In a further embodiment in which the classifications are defined with respect to cybersecurity issues (e.g., “vulnerability patch” or “no patch”), VM images including code having project updates classified as being cybersecurity-related (e.g., “vulnerability patch” rather than “no patch”) may be selected as the VM images to be rebuilt. That is, VM images with packages (e.g., as defined in the VM image recipe for each VM image) containing code that has been updated to patch a vulnerability or otherwise remediate or mitigate a potential cyber threat may be selected for rebuilding.

Classifying updates with respect to cybersecurity factors therefore allows for automatically rebuilding images only when code changes are provided to remediate cybersecurity issues. In turn, such selective automatic rebuilding allows for conserving computing resources related to building, transmitting, storing, and deploying VM images. In this regard, it is noted that not all code releases are security critical or otherwise relevant to cybersecurity, and that rebuilding VM images using every such non-cybersecurity code release may utilize many computing resources in order to provide updates which do not significantly affect performance. Accordingly, automatically rebuilding images only for security-related updates may allow for conserving computing resources while still allowing for manual updates (e.g., selections of images to be rebuilt by a manual operator) in order to, for example, improve performance of VM images.

At S660, new versions of code to be used for rebuilding VM images are downloaded based on the identified project updates. When VM images to be rebuilt are selected as described with respect to S650, the new versions of code to be downloaded may include new versions of any code included in the selected VM images.

At S670, new packages may be generated using the downloaded code. In an embodiment, the new packages may be generated using package generation rules which define how each package is to incorporate each portion of code included therein. More specifically, each package including code which has been identified as being updated may be used to generate a respective new package including the updated code.

At S680, one or more VM images are rebuilt using the new packages. In an embodiment, the VM images are rebuilt based on their corresponding VM image recipes. For any VM image recipes identifying packages including one or more of the new packages, the corresponding VM image is therefore rebuilt using the new package instead of a previous version of the package, thereby creating an updated VM image by rebuilding the VM image with one or more new packages containing updated code.

At S690, the rebuilt images are stored in one or more VM image repositories (e.g., the repository 112, FIG. 1) for subsequent use or access.

FIG. 7 is a flowchart S430 illustrating a method for detecting a virtual machine image redeployment trigger according to an embodiment.

At S710, cybersecurity data is ingested. The ingested cybersecurity data may include, but is not limited to, events, alerts, notifications, or other data which may indicate potential cyber threats. More specifically, in an embodiment, the cybersecurity data includes data indicating vulnerabilities which are being exploited. In such embodiments, the cybersecurity data may further indicate specific packages, code releases, or other portions of code which include the vulnerability being exploited.

At S720, a vulnerability being exploited is identified based on the cybersecurity data. Identifying the vulnerability being exploited may include analyzing the cybersecurity with respect to a predetermined structure of the cybersecurity data (e.g., a known structure having a field which corresponds to a vulnerability being exploited) or otherwise analyzing the contents of the cybersecurity data (e.g., analyzing text of the cybersecurity data using natural language processing) in order to identify an indication of a vulnerability which is being exploited by a given cyber threat.

At S730, a vulnerable package is identified based on the cybersecurity data. The vulnerable package may be, but is not limited to, a package indicated in the cybersecurity data, or a package containing code indicated in the cybersecurity data. Identifying the vulnerable packages may include analyzing the cybersecurity with respect to a predetermined structure of the cybersecurity data (e.g., a known structure having a field which corresponds to a vulnerable package or vulnerable code) or otherwise analyzing the contents of the cybersecurity data (e.g., analyzing text of the cybersecurity data using natural language processing) in order to identify an indication of a vulnerable package or portion of code which is being exploited by a given cyber threat.

At S740, VM images including the vulnerable package are identified based on VM image recipes. As noted above, each VM image recipe is a file indicating a set of packages which are combined in order to build a corresponding VM image. Accordingly, each corresponding VM image which is built using one of the VM image recipes which indicates the vulnerable package as one of the packages to be combined may be identified as a vulnerable VM image including the vulnerable package.

At S750, rebuilding is triggered with respect to any vulnerable images including one or more vulnerable packages. To this end, in an embodiment, S750 includes rebuilding one or more vulnerable images. More specifically, any vulnerable images are rebuilt according to their corresponding VM image recipes using patched or otherwise updated packages (e.g., packages containing updated code designed to avoid the identified vulnerability which is being exploited). In yet a further embodiment, rebuilding the vulnerable images includes downloading updated versions of code for use in rebuilding the vulnerable images.

In some embodiments, S750 may further include triggering redeployment of any vulnerable images. To this end, in such embodiments, the rebuilt VM images are pushed to repositories or otherwise provided to servers used for deploying virtual machines defined by respective VM images. In a further embodiment, such servers may be commanded, instructed, or otherwise prompted to retrieve and redeploy the updated version of each vulnerable image currently being used by each server.

At optional S760, an alert may be generated. The alert may indicate, for example, that one or more VM images have been redeployed, which packages were identified as vulnerable, which vulnerabilities were being exploited, which VM images have been redeployed, and the like. The alert may be sent, for example, to a user device (e.g., the user device 140, FIG. 1). When

It should be noted that FIG. 7 is discussed with respect to identifying one vulnerable package, but that multiple vulnerable packages may be identified without departing from the scope of the disclosure. VM images containing any identified vulnerable packages may be identified and redeployed as described above.

FIG. 8 is an example schematic diagram of a VM image manager 111 according to an embodiment. The VM image manager 111 includes a processing circuitry 810 coupled to a memory 820, a storage 830, and a network interface 840. In an embodiment, the components of the VM image manager 111 may be communicatively connected via a bus 850.

The processing circuitry 810 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), Application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), graphics processing units (GPUs), tensor processing units (TPUs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.

The memory 820 may be volatile (e.g., random access memory, etc.), non-volatile (e.g., read only memory, flash memory, etc.), or a combination thereof.

In one configuration, software for implementing one or more embodiments disclosed herein may be stored in the storage 830. In another configuration, the memory 820 is configured to store such software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the processing circuitry 810, cause the processing circuitry 810 to perform the various processes described herein.

The storage 830 may be magnetic storage, optical storage, and the like, and may be realized, for example, as flash memory or other memory technology, compact disk-read only memory (CD-ROM), Digital Versatile Disks (DVDs), or any other medium which can be used to store the desired information.

The network interface 840 allows the VM image manager 111 to communicate with other systems, devices, components, applications, or other hardware or software components, for example as described herein.

It should be understood that the embodiments described herein are not limited to the specific architecture illustrated in FIG. 8, and other architectures may be equally used without departing from the scope of the disclosed embodiments.

It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software may be implemented as an application program tangibly embodied on a program storage unit or computer-readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer-readable medium is any computer-readable medium except for a transitory propagating signal.

All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiment and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosed embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.

It should be understood that any reference to an element herein using a designation such as “first,” “second,” and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise, a set of elements comprises one or more elements.

As used herein, the phrase “at least one of” followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including “at least one of A, B, and C,” the system can include A alone; B alone; C alone; 2A; 2B; 2C; 3A; A and B in combination; B and C in combination; A and C in combination; A, B, and C in combination; 2A and C in combination; A, 3B, and 2C in combination; and the like.